
Add buildah-sast task prototype #1488

Closed (1 commit)

Conversation

mmorhun (Collaborator) commented Oct 3, 2024

This PR brings a prototype of the buildah-sast scan task. The goal is to keep the build with SAST scanning as close to the original build as possible while providing mechanisms to instrument the build with the needed SAST scan tooling.
This includes:

  • Ability to override the image used for the build step
  • Ability to override the computeResources requirements for the task
  • Ability to modify Dockerfile prior to running the buildah build
  • Ability to specify additional volume mounts for the buildah build
  • Ability to process the captured data after the container build
  • Ability to prevent the resulting image from being used as the task result
  • The instrumented build-container task will be provided with the same inputs as the original build-container task
  • The instrumented build-container task will be able to upload the SAST scanning results to image registry

tkdchen (Contributor) commented Oct 8, 2024

> The goal is to keep the build with SAST scanning as close to the original build as possible while providing mechanisms to instrument the build with the needed SAST scan tooling.

What code ensures this?

mmorhun (Collaborator, Author) commented Oct 8, 2024

> > The goal is to keep the build with SAST scanning as close to the original build as possible while providing mechanisms to instrument the build with the needed SAST scan tooling.
>
> What code ensures this?

@tkdchen it's done by kustomize

tkdchen (Contributor) commented Oct 8, 2024

> > > The goal is to keep the build with SAST scanning as close to the original build as possible while providing mechanisms to instrument the build with the needed SAST scan tooling.
> >
> > What code ensures this?
>
> @tkdchen it's done by kustomize

Does "as close to the original build" mean the new task has the same build functionality but with the needed SAST scan tooling?

mmorhun (Collaborator, Author) commented Oct 9, 2024

> Does "as close to the original build" mean the new task has the same build functionality but with the needed SAST scan tooling?

@tkdchen yes, it should be the same but with SAST interceptors. Also, the SAST build result is not used anywhere (it is just dropped); however, the task produces a SAST report.
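To make the kustomize approach discussed above concrete, here is an added example of an overlay (not code from this PR or from build-definitions) that derives an instrumented task from an unmodified base task: it swaps the build step image, raises its computeResources, mounts a volume for captured data, prepends a step that edits the Dockerfile, appends a post-processing step, and renames the task so the production build task is never shadowed. Assumed: the base Task is named `buildah`, lives at `../buildah/0.1/buildah.yaml`, has a step named `build`, uses a workspace named `source`, and all image references are placeholders.

```yaml
# kustomization.yaml (added example; all paths, names and images are assumed)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../buildah/0.1/buildah.yaml          # assumed path to the unmodified task
patches:
  # Strategic merge patch: steps merge by name, so only listed fields change
  # on the existing "build" step; a step with a new name is appended.
  - target:
      kind: Task
      name: buildah
    patch: |-
      apiVersion: tekton.dev/v1
      kind: Task
      metadata:
        name: buildah
      spec:
        volumes:
          - name: sast-results            # holds data captured during the build
            emptyDir: {}
        steps:
          - name: build
            image: quay.io/example/buildah-with-sast:latest   # placeholder
            computeResources:
              limits:
                memory: 8Gi               # instrumented builds need more headroom
            volumeMounts:
              - name: sast-results
                mountPath: /var/sast
          - name: process-sast-results    # runs after the container build
            image: quay.io/example/sast-report:latest         # placeholder
            volumeMounts:
              - name: sast-results
                mountPath: /var/sast
            script: |
              #!/bin/sh
              set -e
              find /var/sast -type f | sort
  # JSON 6902 patch: prepend a Dockerfile-rewriting step and rename the task.
  - target:
      kind: Task
      name: buildah
    patch: |-
      - op: replace
        path: /metadata/name
        value: buildah-sast
      - op: add
        path: /spec/steps/0
        value:
          name: instrument-dockerfile
          image: registry.access.redhat.com/ubi9/ubi-minimal  # assumed base
          workingDir: $(workspaces.source.path)               # assumed workspace
          script: |
            #!/bin/sh
            sed -i '1i # instrumented for SAST scanning' Dockerfile
```

Because the overlay only patches the base task, any later change to the production buildah task flows into the instrumented one on the next `kustomize build`, which is what keeps the two builds from drifting apart.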

openshift-ci bot commented Oct 22, 2024

The following users are mentioned in OWNERS file(s) but are untrusted for the following reasons. One way to make the user trusted is to add them as members of the konflux-ci org. You can then trigger verification by writing /verify-owners in a comment.

  • kdudka
    • User is not a member of the org. User is not a collaborator. Satisfy at least one of these conditions to make the user trusted.
    • task/buildah-sast-oci-ta/OWNERS
    • task/buildah-sast/OWNERS

mmorhun (Collaborator, Author) commented Oct 24, 2024

Closing this sample PR.
See #1525 for the actual changes and description.

@mmorhun mmorhun closed this Oct 24, 2024
@mmorhun mmorhun deleted the STONEBLD-2804 branch October 24, 2024 09:29